[openstack-dev] [keystone] External authentication

Dolph Mathews dolph.mathews at gmail.com
Tue Oct 2 16:17:38 UTC 2012


I'm curious about the "external" attribute in that request body (JSON
supports native booleans, btw, so it should preferably read {"external":
true})... regardless, how are you using that attribute in your
implementation? What happens if it's some value other than "True"? I
expected to see something in your ExternalAuthMiddleware about it, but it
must be somewhere else -- link?

I'm particularly asking because if there's a use case here that can be
generalized, I'd like to include it in
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md

-Dolph


On Tue, Oct 2, 2012 at 11:07 AM, Ralf Haferkamp <rhafer at suse.de> wrote:

> On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
> > On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
> [..]
> > >>>BTW, has anybody else been working on this already? Does this even sound like a
> > >>>feature worth adding?
> >
> >
> > Yes, I have, but you are ahead of me.  Please post your patch.  It
> > is the right approach.
>
> I have just pushed the code to the "external-branch" in my github clone at:
> https://github.com/rhafer/keystone/tree/external-auth
>
> Feel free to review and comment. It still needs quite a bit of testing. But the
> basics seem to work for me. Currently, to use external authentication you need
> to POST something like this to the /tokens URL (as with username/password
> authentication the "tenantName" is optional):
>
>     {
>         "auth": {
>                 "external": "True",
>                 "tenantName": "test"
>         }
>     }
>
> Of course you need keystone to be backed by apache and apache configured to do
> some kind of authentication (up to now I just tested with mod_auth_kerb).
> Additionally the ExternalAuthMiddleware needs to be added to keystone's service
> pipelines in keystone.conf
>
> I didn't have time yet to implement anything on the client side. Up to now I
> just used curl for testing. E.g. this works to request a scoped token using
> kerberos authentication:
>
>     curl -u : --negotiate http://<keystone-server>:5000/v2.0/tokens \
>         -d '{"auth": {"external": "True", "tenantName": "test"}}' \
>         -H "Content-type: application/json"
>
> Feedback is very welcome. Regards,
>     Ralf
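
An added example, not part of the thread and not code from Ralf's branch or from keystone: one way a server could treat the "external" attribute strictly, which is the question raised in the reply above. The function and exception names are hypothetical. It assumes the front-end web server (e.g. Apache with mod_auth_kerb) places the authenticated principal in the WSGI environ key REMOTE_USER, and it accepts only the JSON boolean true, so the string "True" from the request shown in the thread is rejected.

```python
import json


class AuthError(Exception):
    """Raised when an external-auth token request must be rejected."""


def resolve_external_user(environ, body_bytes):
    """Return (user, tenant_name) for an external-auth request or raise AuthError."""
    try:
        auth = json.loads(body_bytes)["auth"]
    except (ValueError, KeyError, TypeError):
        raise AuthError("malformed request body")
    if not isinstance(auth, dict):
        raise AuthError("malformed request body")

    # Only the JSON boolean true selects external auth. Strings such as
    # "True", "false" or "yes", and numbers such as 1, are rejected instead of
    # being interpreted, so a near-miss value can never enable the method.
    if auth.get("external") is not True:
        raise AuthError("'external' must be the JSON boolean true")

    # Mixing methods is ambiguous: refuse a body that also carries credentials.
    if "passwordCredentials" in auth:
        raise AuthError("external auth cannot be combined with credentials")

    # The identity comes only from REMOTE_USER, which the web server sets after
    # it has authenticated the connection. A client-sent "Remote-User" header
    # shows up as HTTP_REMOTE_USER and is deliberately never consulted.
    user = environ.get("REMOTE_USER")
    if not user:
        raise AuthError("no externally authenticated user")

    tenant = auth.get("tenantName")  # optional, as with password auth
    if tenant is not None and not isinstance(tenant, str):
        raise AuthError("'tenantName' must be a string")
    return user, tenant


if __name__ == "__main__":
    # Constructed sample input: principal and tenant are made up.
    env = {"REMOTE_USER": "alice@EXAMPLE.ORG"}
    body = b'{"auth": {"external": true, "tenantName": "test"}}'
    print(resolve_external_user(env, body))
```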